Managing sudo on your agents lets you control which system users have access to elevated privileges. This guide helps you get started managing sudo privileges across your nodes, using a module from the Puppet Forge in conjunction with a simple module you write.

Install the saz-sudo module as the foundation for managing sudo privileges.

Write a module that contains a class called privileges to manage a resource that sets privileges for certain users.

Add classes from the privileges and sudo modules to your agents.

Note: You can add the sudo and privileges classes to as many agents as needed. For simplicity, this guide describes only one.

Start by installing the saz-sudo module. It's available on the Forge, and is one of many modules written by a member of the Puppet user community. You can learn more about the module at forge.puppet.com/saz/sudo. To install the saz-sudo module, run the following command on the master:

As in the DNS exercise, this is a small module with just one class. You'll create the privileges module directory, its manifests subdirectory, and an init.pp manifest file that contains the privileges class.

From the command line on the master, navigate to the modules directory:

cd /etc/puppetlabs/code/environments/production/modules

Create the module directory and its manifests directory:

mkdir -p privileges/manifests

In the manifests directory, use your text editor to create the init.pp file, and edit it so it contains the following Puppet code:

The sudo::conf 'admins' line creates a sudoers rule that ensures that members of the admins group have the ability to run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/. It's called something like 10_admins.

Save and exit the file.

That’s it! You’ve created a module that contains a class that, once applied, ensures that your agents have the correct sudo privileges set for the root user and the admins and wheel groups.

Next, add the privileges and sudo classes to the default node.

From the command line on the master, navigate to the main manifest:

cd /etc/puppetlabs/code/environments/production/manifests

Open site.pp with your text editor and add the following Puppet code to the default node:

The sudo::conf 'web' line creates a sudoers rule to ensure that members of the web group can run any command using sudo. This resource creates a configuration fragment file to define this rule in /etc/sudoers.d/.

The sudo::conf 'jargyle' line creates a sudoers rule to ensure that the user jargyle can run any command using sudo. This resource creates a configuration fragment to define this rule in /etc/sudoers.d/. It's called something like 60_jargyle.
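
One way the two manifests described in this guide could look, as an added example rather than the guide's original listings. The sudoers rule strings are assumptions derived from the descriptions above (they keep the password prompt, with no NOPASSWD tag), and the web fragment's priority is left at the module default.

```puppet
# Prerequisite (run on the master): puppet module install saz-sudo

# --- modules/privileges/manifests/init.pp ---
class privileges {
  # Members of the admins group may run any command through sudo.
  # sudo::conf writes one fragment per resource into /etc/sudoers.d/,
  # named <priority>_<title>, so this one becomes 10_admins.
  sudo::conf { 'admins':
    ensure   => present,
    priority => 10,
    content  => '%admins ALL=(ALL) ALL',  # assumed rule text
  }
}

# --- manifests/site.pp ---
node default {
  # Base class: manages sudo and /etc/sudoers. Per the module README, its
  # defaults replace /etc/sudoers and purge unmanaged files in
  # /etc/sudoers.d/, so review existing rules before the first agent run.
  class { 'sudo': }

  # Members of the web group may run any command through sudo.
  # Priority is not set here, so the module default applies.
  sudo::conf { 'web':
    content => '%web ALL=(ALL) ALL',  # assumed rule text
  }

  class { 'privileges': }

  # The single user jargyle may run any command through sudo.
  # Priority 60 yields the fragment name 60_jargyle.
  sudo::conf { 'jargyle':
    priority => 60,
    content  => 'jargyle ALL=(ALL) ALL',  # assumed rule text
  }
}
```

After the agent run, `visudo -c` on the agent checks the resulting sudoers files for syntax errors.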

Save and exit the file.

On your master, ensure that there are no errors:

puppet parser validate site.pp

The parser returns nothing if there are no errors.

From the command line on your agent, run Puppet:

puppet agent -t

That’s it! You have successfully applied sudo and privileges classes to nodes.